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SECURITY OP THE 



INTRODUCTION 



1 The present paper contains a review of the situation with 

re commendations on the extent of the remedial action required and on the 



me t hods to be adopted 



to convince the governments concerned of the need 



for action, without disclosing sophin t icated crypt analyt ic techn iques . 



Qvi 



views arc siumnariscd in the following paragraphs : - 

rrHH . u A \\ A\\ . . .. 



It is the[; | view that at the present time the insecurity of 

t he I I is of considerably mor e value to the Russians 

<£ thdh.it is to U t K. and U. S. , anerthat were tiiis source of leakage removed' 
* 7 the Russians could not obtain the same in formation by physical means . 

0*1 t , K^war leakage of - " tiiis Rind would he” even more damaging to interests 

and profitable to jbhe Russians owing to great increase in quality and 
v quantity of the telecominunicat ions of friendly powers, and the increased 
difficulty of obtaining information by non-Comin t means. iippendix ’A’ 
to this paper contains a survey made at with annexure s givin g 

; r j A re cent examples of information , of value tu KU5..ia, passed byj |powers 
in i I appendix ‘B’ contains some examples, 

taken frara| | War Histories, showing the kind of damage which 

A the ;ocis powers aid to one another by use of | | as well as 

the damage suffer ed by the • CL. lies from the insecure communicat ions of 
the! I 










No/cup- to-date 



evidence is available on the st ate of 
|, but it may be pre: 
~|of all the countries listed above ar 



it may be presumed that the i ~| 

sted above are more or less insecure. 



'’jvt'-J'isi A: and in asjmuch need of remedial action as the same countries'! 

•" ~ systems. (§)lt is also desirable in the | ~| view to seek info 

^3!ll lI;Lthe I 






is also desirable in the | ~| view to seek information on 

' | although 

]of these countries appear to be satisfact ory . 

o 

| view is that _th£o rob lorn is one for discussion among 




necessary anuindeed irrelevant to describe the techniques of cryptanalysis 
used in exploiting these weaknesses. 



i 
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SCOPE OF THE PROBLEM 



(a) 

1. 



It was agreed at the^jT 



waa in / the common interest to renacn 
against 1 / a^facfT 5 * ; 



~ \ Conference of May 1951 that it 



secure 



mifm 



A reservation was mode in respect of the 
following reasons: 



"Ml 






• (i) that no likelihood existed of the £ 
radio channels; 



] extending its U3e to 






J 



(ii) that our knowledge of the 
solely from "clandestine” 



(iii) that sophis ticated techniques, 
the | l were used in exploit 



existence of the machine was derived 
sources, and 

that must not be disclosed to 
ing it. '\ 



The 



have me.-uiwhiic begun to use the machine on some 



»’«! t j , 3,i 

v . first objection, and to some extent also of the second, since th e "clan- 



radio channels and intend to use it on others. This disposes of the 






E 



— * W m 

tine" source referred to was s imply the monitoring iit 



]of 



Jfroin the 

T lie approach described in the prenull t piper 



is assigned to avoid any 



t 

: -i.’ , ' _ 

necessity for disclosure of sophisticated techniques. It is therefore 
lit oonBider ed desirable that thj I bo in cluded in any discussions 



h;; 



v.'ifl 

.‘.♦f+ifc.* 



with the 

■(b) IZ= 



] 



4. The 

proposal to 

.< — . L. 



Conference of May 1951 consi dered and rc.iected 



take action to improve 
cyphers for twot-reaaons: 



Ip -B-pr 



*-.,t v ; :: I' ';,! 

■ f Sjl ‘ 

’•v*# 



"(i) the 

NATO and without rove 



insecurity of the imp 



the security of 



through the mechanism of 
Comint , have initihfoid 






[ 



ration of 

action which is expected to correct in large measure 

ortant crypt ocommunicat ibns of the 
and 



iil 

W® fS 



(ii) any correction of the remaining important are as of 
insecurity of the cryptocommunications of thel 



[ 



would involve disclosure of success in sophisticated 



crypt ana' 




i wouli 
ysi jk 



and possibly lead to a demand for revelation 






of techniquejs, both of which revelations must be avoided," 
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5, I! Although considerable progress has been made since 1951 in the 

provision of NATO cyphers, the I 1 show 

little sign of improvement. ' 

vf)^(i) ; | I in | | are wide open from 

* the highest level downwards and carry a large volig ,^ of. intell- 

M i gfinns tViPt. PpTn cTt only^E oTE^ [ themselves.- 

but also the t heir ..a llies; fo r example, they contain revel- 
at ions of| — ' | capable of ruining not only the 

\ | against tne Viet Minh but also that of 

, and they give details of forthcoming American Aid. 
\ see Appcnaix ' A ' , Annexurc 3. * 

(ii) jj "Third level" communications of NATO forces are sent entirely 
in national cyphers. The content of messages passed at this 
level may be less immediately revealing than that passed at 
higher levels, but (in Vm. certainly and probably, also in peace) 

|! could be treated by "inferential" and "fusion" methods and made 
| to yield valuable intelligence not available to an enemy by any 
V:, f non-Sigint means. 



7. The general question of iraprovejnent of the national cyph ers of 

the other NATO powers has never been discussed officially between | | 



(i) The U. S. view-on this subject in 1951 was however indicated by 

the following statement made by an ad hoc committee of U. S, C. I. B. 
during unofficial discussi ons arising from use byl lof 

j — | discuss NATO matters: 






"Remedial action involving the entire body of I I 

j communications is not n ecessary from the point of view of 

in fact it would be undesirable from 
tne point or view ox "conservin g for the U. S. this and other 
important I 



It was ultimately agreed that the U. S. Government should make 
a high level approach designed to "shock" thel I into 

using the | | without however actually revealing 

that their own cyphers were in? ecurc. 



There appears to be some tendency to increase the use of one-time 
pads but we have no guarantee that the pads are properly made or even 
that the usage is truly "one time", 

(•^Report of U. S. C. I. B. ad hoc Committee on Communication 

Security, September, 1951. 
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A demarche was ma de by the U.S. Ambassador to 
in spit e of whichf 
still a 

Appendix H armexufe Try. 



8. The j | vi ew is, ’’shock tactics” of this kind are unlikely 

to he effective especially when they are accompanied by a "cover story" 
which is unlikely to be believed; the , only way to a chiev e improvement 
i n security habits is by educative action and by i«Q.Ufince/of_.the 
"public opinion" (if such a terra may properly be used of a very 
s'ecl'et subj'eotj of other powers'! I officers. 



9. But the dictum of t he U. S.C.I.B. ad hoc Committee referred 

to in para 7 above has in the view another serious weakness in that 

it is based on the assumptio n mac it is possible in matters of cypher 
security to "have it both ways”. This assumption has appeared at 
various times in discussion in t»<o different forms : 

(i) that it is possible to devise cyphers that are just good 
enough to defeat the Russians but contain weaknesses 
that can be I fl ‘ we cannot knew 

anything of'tm. 1 _V61 rr corfipetende of U.S.S.R. 
cryptanalysts. 

(ii) that it is sufficient to limit improvement of security 

to specified cryptochannels or to telegrams on specified 
subjects. This will not do; it is not possible to- 
forecast in advance which cryptochannels are going to carry 

S ort ant messag es and it is not enough to insist on use 
[ when documents are l I 

hout also taking steps to protect the security of NATO 
fringe traffic or national comment on NATO discussions 
which may legitimately be sent in| | 



10. Little is known, f rom! I sources, of the 

of any European pewer except | and if as seems probable tney are no 

better than the| ~ itnev would - be7~lrr vary ing degrees, 

dangerous" to the security of any forces operating with them in war. 

(e) Cypher machine development in Europe 



11. I±_.is known that new cypher machines are being developed by 

several governments and by commercial firms operating in neutral 

countries. 

(i) The have designed cypher machines which they 

intend to use for their| | these machines 

embody sane fiarly advanced techniques but from information 
at present available appear to be most insecure. (l) 



(l) See memorandum fron | | in Washington 

to Secretariat of the Standing Group, No. 09 27/SRP ^£>#^53 , 
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(ii) The 



one time key 



] are designing random generator fo 
nothing is known of details 






production of 



(iii) TheC 



] in conjunction with 



]firm, is producing a wide range of new cypher 



machines which will undoubtedly be much better than the 
same firm's pre-war models, but may still be not secure 
against modern crypt analytic methods. 

This list is pro bably not exhau stive , and these developments 



12 . 

merit close attention from| j 1 While it is entirley possible 

that European powers may work out tJioir own salvation, with or without 
the aid of commercial firms^it is to be feared that they may only arrive 
at an intermediate stage or development when it will become difficult 
to convinc e them of t heir insecurity without revealing too much detail 
of current | thought on cypher machine design. It would be 

therefore better to appro ch these European powers before their own 
development has gone too far, and persuade then to adopt well tried 



(f) Decisions to be taken at the Conference 



(A) Countries to be covered 




13. A decision has to by taken, one way or the other, in the case 

of each NAECJ nation, whether the interests of Signal Intelligence or of 



\sa, ^ Signal Security are to prevail, 
we decide to take steps to put 
to sacrifice Signal Intelligence (probably 
the correspondence of that government as a 
oursetoes- and for the Russians. 



a nd no hal f wav ..house exists. Either 
that cryptographic house in order, and 
for ever) or we "conserve” 
Signal Intelligence target for 



I : : : 

(B) Timing of action with relation to physical security 



The 1951 Conference 
on certain_E 



14 . 

to the 
pending improvement ini 



agreed a limi 



ted programme for an approach 
"1 but recommended no action 



"Jphysicai security; U. S. have not yet 
Jc f t 



expressed themselves / satisfied that such improvement has gone far enough. 

15 While it is agreed that we ought to adjust our methods to 

taki account of differing physical security conditions in various 
countries it may be said 







4 ^ 






(j) that physical leakages will seldom if ever be so gross 

as to provide a source of intelligence as rapid, complete , 
reliable and (above all) authentic as that derived from 
a major breakdown in communication security; conditions 
need to be literally hopeless before one can say that there 
is no point in improving cypher security; 



L) 



Conversation between 



and 



February 1953. 
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One should however not delay~ihitiating action on cypher 
security pending expected improvements in physical 
security, because neither can be put right overnight, 

— i (X) 

recommendation is therefore that~there is no case 



for any further delay in approaching the I Ij land^that physical 

security of other nations might be considered as a valid reason for 
taking no action at all, or for taking modified action but not for delaying 
action. 



THE APPROACH TO THE 

17. Having settled the scope of action inten^d the Confer ence shoulci, 

in the U.K, view ; consider an approach to the| |with a view to 

first improving their communications security and then inviting them to 
associate themselves with any scheme that may have been agreed between 
I for approaches to other MTO nations. - 



18. It is recommended that a single approach be made to the 
covering all cyphers of all services in respect of which ths conference 
has decided that action must be taken. 

19. Previous projects for approac h to the cn 

the delicate Subject of the security of r |uavb been 

based on the assumption that this insecurity is due to ignorance 

of the art of cryptography which cannot be removed without exposure of 
'•sophisticated" cryptanalytic techniques. Yet . after all^the basic principles 
of cryptography are few, simple and well known to all cypher experts 
including the| and do not constitute the '’secret” upon which 

the success of cryptanalysis depends. The "secrets" of cryptanalysis are 
rather these: 






that situations arise in the use of cyphers which would 
instantly be condemned as insecure by any one instructed in 
cryptography; 

that other situations arise which an instructed x>erson 
would admit to offer at least a theoretical risk of 
insecurity, but which require "sophisticated techniques" 
to exploit them, and that these techniques have been 
devised. 



20. The only way in which improvement in| | can be ( 

eventually obtai ned is by cooperation on the technical level between 

I nnmmnninat.i on sennritv nffir.ers . . 



communication security officers. 1 — 

21 . The object of the first approach therefore would-be -t-e bring 

about a frank exchange of information that would serve as a basis for 
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subse quent discussion among responsible communication security officers. 
One of the points that the Conference must decide is whether this initial 
exchange should "be made: 

(i) at a tripartite meeting; 



(ii) at separate bipartite meetings, 

(iii) at a single bipartite meeting wher e either I I 

would state the whole case against I I 

22. The tripartite arrangement would be the best, apart from the 
fact that it would be impossible to conceal the fact thaij | and 

| had discussed the matter and exchanged information be lore the meeting 
began . The single bipartite meeting would involve eith eri | or 
in a fairly complicated cover story. If for examp le| | were 
to undertake the whole task they would be obliged to make the ca se on 
t t u “lent ire ly from material received from 

layer (ji p ai ’ rxumty i ■mga ’ s eem s -'t o make the worst of both worlds, and m any 
case whether ! I cooperat ion is explicitly admitted or not it will 

undoubtedly be assumed. It is therefore recoi.anended that the meeting 
be tripartite. 

23. The exchange can be initiated in two ways only: . 

i v .\ # 

(i) by inviting each party to describe its own communication 
security methods', which would then be discussed on general 
cryptographic grounds by the other two. 

(ii) By [ I I announcing that they are already aware 

of the existence oi security weaknesses in CZZ^I] comm- 
unications, describing them and inviting the i " "~l to 
disclose any knowledge that they may have of | | 

— I l(i) 



21u 

effect. 



The second approach is recommended, as being more sure of its 

(i) Initially at least it may be somewhat embarrassing but it 
will have less long term disadvantages in that it does 
not commit anybody t~ disclosure of details of their own 
systems -which they consider irrelevant or do not wish to 
mention. 

(ii) Although this approach implies a tacit admission of 



' 'This is something more than a polite fiction. We already know that 
t he | ~| have been monitoring our manoeuvre traffic and have found that 

they can exploit traffic security weaknesses, such as use of P/H 
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crypt analyt ic success it does not involve any disclosure 
of methods. The line t aken is "we see that you do this 
or that and we consider it on principle to be wrong 1 ' not 
"look how we can break your cyphers". 



25. After the three parties have made one another aware of the 
elements of the problem they should constitute a tripartite advisory 
conijdttee of communication security experts with terms of reference: 

(i) to examine any weaknesses in national communication 

security systems of the three powers that may come to the 
knowledge of any one of' them and may be regarded as 
affecting the interest of all; 

X! :<$P 3.3(h)(2) 

(ii) to make recommendations for remedies; PL 86-36/50 USC 3605 

(iii) to consider joint action in the common interest with regard 
to the security of other friendly powers. 

26, Once the initial approach has been made there should be nothing • 
to prevent any party from making further disclosures of any feature of 

his own security system on which he would like advice. Similarly there 
should be nothing to prevent any party who is in doubt about the security 
of another party's cryptosystem (but not able or perhaps not willing to 
prove that the system is insecure) from makin/h direct enquiry. 

27. « In consider ing the probable outcome of this ap proach and its 

effect on the I l it should be borne in mind that the | | 

ment is known to have set up, in 1951, an Interdepartmental Committee on 

~| with a technical sub-committee , although e ach Ministry continu es 
to produce its own cyphers and it is known that ] ~ 

1 and a man with considerable know- 
ledge of cryptanalysis) is a member of one of tiiese committees, (i ) 

It must therefore be assumed either that the Committees are not properly 
informed of the current cypher practices of the various Ministries, or 
of the purposes for which certain cyphers are used or that (though informed) 
__they~are“ unable for one reason or another to ma.-.e all the .improvements 
that they would wish. 

28, It will certainly not be difficult to convince the 

representatives that they ought not to use the lower grade | " l | 

cyphers and no harm would be done if we were to show them some examples. 

This is likely to come as a most unpleasant surprise to. them for it is 
inconceivable that responsible) |cryptographic experts can already 

know of the subjects for which tne I 1 1 | that have 
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no security value whatever. 



29. When it comes to the higher grade systems it is kowever necessary 

to consider whether the I I could be convinced of the insecurity of 

their systems without exposure of sohh. more or less "sophisticated" tech- 
niques: /// j fi |.| 




practices 



will have to describe the [ 

which they consider unsound. That they know anything at 
all of these practices is of course intact due to crypt analysis , 
but they need not and should not describe the methods used 
to arrive at their information; it ought to be enough to 



describe the systems used as they find them, and to 
out either ti.at they are fundamentally insecure, or 
are being compromised by misuse. 



point 
that they 



(ii) ThJ 



\jy° 



~> 



Already know onyugh oi’ the weaknesses of the 

~~ I to make 



it iairxy esy to convince tnem tnac tney are t no roughly 



insecure, wit hout describing the techniques used 
They also know that | f f f H 

broken. 



(iii) The | 

by the L 



]iy reper-.ttj 



in breaking. 
] can be 



machine is a pitetty good cypher grossly misused 



operator's carelessness 
"engineer's key", and by tfcd indicator systems, 
these practices are so cjbviously wrong that thd 



d use of message settings through 
or thruugh use of an invariable 

i-JLl 



not want us to prove th.it we can take advantage or tnem. 



Icould 



any of our 



(iv) Finally there is no neeqL to show the 

actual decrypts. The cyphers in this group are obviously 
meant to carry secret correspondence. 



Ill 

MEiiSURES TO IMPROVE 



CYPHERS 



7 



30. 



The proba ble upshot of the examination in committee of| 
I would be that the I 

iby mv 



experts are all too well 
a long term programme for 



aware of their deficiencies, that thliy 
their improvement but that they are hampered by lack of material reources. 
The Committee will then have to proceed to consider ways and means of 
improvement; should not decide at the Conference what they 



(^Th j | have already proposed an improvement of J | (not we think 

adequate) and clearly know it is vulnerable. There 13 a suggestion 
in iu. Char les Ey raud's "Precis de Cryptographic Moderne (1953)” that 
uiimodified| ~] at least is insecure. 
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propose to offer in the way of assistance and be agree d, on pri orities 

but should endeavour in subsequent discussion with the| to apply 

their aid (which will certainly not amount to an imme diate solution of 
the whole problem) wherever it best fits with I Ineeds. 



31. It is doubtful whether the C. C. M, machine proposed in the report 

of the 1951 conference should be offered now to the | | 

^i) The security of the niachine, ove n with simp lex settings, 
has been seriously challenged by | rese arch since 

1951 yV. It is not improbable that the | ~| and indeed 

other members of NATO may have guessed this from the 
extraordinary changes ini ire gulat ions which have 

been promulgated in th e paat years an d in the circumstances 
it would be wisest for| to foie stall questions 

that might prove awkward by frankly admitting that they 
have come to fear that the machine is too easily compromised 
by operator's errors. 

(ii) The 1951 proposals envisaged issue of 20 CCM imme diat cly 
and a total of 80 eventually; it is probable that | 
would find it difficult to nicet this programme today. 

\ \ \ \ i 

(iii) However if the | | themselves would like a certain 

number of COM, then these can be supplied within limits 
set by availability. 

32. One-time pad, proposed in 1951, is an excellent solution, 
wherever practicable. 

(i) The 1951 conference agreed that technical instruction 

in manufacture of random tables could be given to the | 
without disclosing cryptographic information^ and 
that this was an important and ma jor requ irement. It is 
still more important now that the| and others are 
showing signs of producing new and perhaps inferior methods 
of one time key generation. Rather than discuss these we 
would prefer to persuade the | | that our own methods 

are well tried and sound, without however appearing to 
\ "instruct” them as if they were complete beginners in the 

arc of making random key. 

\ (ii) The allocation of one tine pads is probably best organised 
by t he I I t house lvo s . We should not, as was proposed 

Y by the H.K. in 1951* produce a ready made scheme of 

individual and multiple— address ^ads, which in our opinion 



(■^The latest modification, "Lucifer", is a considerable improvement on 
the original machino , but even so CGLi must be regarded a s overdue for 
replacement. 

(■’■■^Enclosure A para 33 1951 report. 
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would §ave them time and trouble. However su gg estions from 
all parties could be considered in Committee, 

(iii) The~physical security provided by i methods of 

packaging OTP 4;S likely to be of imerbal and it is 
recommen ded that it be described. (it is also possible ■ 
that the | may wish to take into account the 

difficulties of physical security when considering any 
plan for multi-address v pad systems). 

(iv) There are undoubtedly ways of making the ouch more 

nearly secure. These might well be considered subject 
to U. S. being able to provide a substantial number of l 1 
equipments and subject to the | | finding them workable. 



(v) The I is now regarded 

-y by I I as very secure provided mac ihe basic lug 

"1 v ,‘ sex Lings are chosen from liraitod lists which can be readily 

* O'. calcul-.ted on a large computing machine*; - If U. S* 

\ are able to make this machine avail able at an early date it 

** would be very suitable for offer to ] ( or to other 

NATO powers) provided that a clear explanation were given 
of the reasons for using the limited list of basic lug 
settings. These re sons could be convincingly derived from 
first principles (need to ensure as e ven as possible a 
distribution of key values). Once again any attempt -to 
dictate would be fatal, lev-ding to suspicion of motives or 
wilful refusal to use the "good" list, 

33, It is hoped that enough has been said to dispose of the idea 

tnat the procedure advocated would lead to exposure of "sophisticated 
cryptanalytic techn iques". (Appendix C to this paper contains examples 
taken from a recent |work on cryptanalysis with quotations from 

older works showing basic principles which are obviously commonplaces 
to any modern technician and which should suffice for a criticism of most 
if not all insecure European systems in use today). 



! „«.'v 

\ nfV" 



EXTENSION TO OTHER POWERS 

34, It is proposed that other NATO powers, whose cyphers are held 

to be :i.n need of improvement should in turn be invited to send represent- 
atives to the Tripartite Committee. ( 

I 1 

35. would undoubtedly all have 
cypher experts capable of understanding and accepting the arguments used 
in assessing a cryptosystem. There is little fault to be found with their 

| | and we have no knowledge of their I I 

and could only obtain it by prolonged ^igint study (likely to be most 
wasteful of effort) or by simply asking the,;, for details. They should 
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;.vrounbly be left alone altogether or else regarded as potential givers 
of help. 



(i) 



(ii) [ 

C 



36. 



has a one-time tape generator, believed secure. 



] might perhaps undertake to educate 
| is easily readable. 



whose 



is in similar caso to 



with much knowledge of 

crypto theory which is noi' v applied in practice. Their I 



are largely insecure \ nothing is lenown irom Si;;int of their I 
cyphers and it would bo necessary to elicit information on these by 
direct questioning after we find indicated that we know tho diplomatic 
systems to be Insecure. 



37. | ~| too appears M:o be backward_in crypt matters. It is 

known that the I" ‘ I are helping the I I on Comint and it might 

be possible eventually for the | | to approach them on Comsec, on 

which they are in very 






urgent neec( of advice. 

It is difficult to (fluagtpthe level of crypt knowledge in 

m^iy all well have quite good 



oryptanalysts. Here again the only approach that cop bo tried with 
any hope of success is the educative fipo, If there is not already in 
these countries a crypt expert capable of appreciating the argument 
from first principles then they must begin by sending a man for a 
training oourso which should bo based pn the published literature. 







CONCLUSION 



Strange though it may soom, the security of a government’s 
yphers is a most unreliable index of the skill pf that government's 
pyptanalysts. If a nation uses bad cyphers the reason may be that they 
now no better, but it is mucR~more^ iike'lv to be that their policy'; 
rxkera fail to make use of the advice o.f their own .technicians (which 
n some cases may be enough to ta*wO thun most, if nbt all, of the way 
o real security) or else that they simply lack resources-material, 
idustrial or financial- to carry out what they know to be necessary. 

If | | come forward now, insisting on a critical examination 

of the situation (based on a realistic acknowledgement of certain facts 
about cryptography that are.. al rea dy, pre btv well known ) and offering help 
from their own experience and~material fesourcesythey can guide their 
allies into use of cryptosys tems that will stand u p against the most 
advanced techniques known tol l and' tn -doing-a© need- 
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not disclose these techniques. If however they continue to turn 
a blind eye to the progress in cryptanalysis made all over Europe 
since 1939 and to refuse to talk about subjects that are in fact' far 
'less secret than they would like them to be, then they must expect 
to see European powers turn elsewhere for advice and assistance, and 
so to lose the opportunity to influence development in the right direction. 
Subsequently they may find that a situation has developed 1 Which they 
arc unable to correct without making really damaging disclosures of 
advanced cryptanalysis in discussion, not only with officers of Allied 
Governments but also with commercial firms in neutral countries v/ho 
manufa cture equipmen t for sale to all comers. This danger is real, 

.and if wish to avoid such a situation they have no time 

..to lose. 

40. Finally, | must not expect the advice to be all 

one way, at least if the discussions are extended to | ‘ ~ * ' 

tions. They may well find that although their own cyphers are for the 
most part sound, yet nevertheless they are giving away in peacetime 
secret information, not obtainable by any other means, through exc ess ive 
use of plain_la nguage and ov er simpli fication of signal procedure, 
iForeignHC londntorg. ni sation s who'~havo T~ I 

may be able to help materially in assessing the extent of leakage 
arising in this way. 
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CONTENT OF DIPLOMATIC TBIBGH/iC 



1, The | fbllow/thu rule that no NATO documents or accounts 

of N ; JO meetings my be passed in national cyphers fairly strictly? Only 
one instance is known to the contrary. Over the last two years they have 
become increasingly careful in the content of tele .roans passed in their 
highly vulnerable medium grade cyphers, although their concern is to 
protect specifioallyl 1 score a ra; her than Allied secrets. In 

spite of this trend 



\ spite of this trend towards an improvement, however, cases still occur 

fa irly frequently of serious compromises of Allied thought and intention 
in , sometimes in the medium grade cyphers. 

“ of March 1953 tha t 1 had pr omised an 

the Middle East in war | land reports 



Examples are a report 
armoured division for 
of January and F ebruary 1953 onf 
Defence CammunitT” 



medium grade cypher). 



.Apart from questions concerning 



the value of the infor mat i on c ont alne d in the telegrams on 
and on areas where the 



viewB on the European 
ese last two in 

| allies , 



| policy 

are in a favourable position to obtain 



informati on are clearly of greater value to unfriendly powers than to 



must thei 
2. 

matio ovi 


refore be thj 


it 


O 

tl 


hey still present a serious danger, 

• 








.commonly use their diplo- 


?h£ra_L0£| 


\ questions. The| |send long reports frornl 1 


tc| on discussions 


within SILiEE, slanted naturally-towards- 



seq_ 



particularly vulnerable when the telegr ams are long. 
ore equally revealing. (Seo for example f 



* '*** ^ 

The cypher used for thefce reports is 



The f 



plans for the develop ment of th eL 
and inoluding 1955). I ltolegra na on thof 



J giving 



away less detail than the corre apondingj_ 

but can be most unfortunate. (Sc.: for oxaiupi.eE 



J and airfields up to 
give 



J telegrams, 
^showing 



that General Ridgeway 1 a report in October to the Atlantic Council was 
passed by this means.) The i" ~*~t have shown some Improvement over the 
past two years in their use of I I 

subjects, but still make occasional reve aling statements. (See for 
example the suggesti on in j [ that of the western countries 



ire most inclined to be impressed by the recent 
mission ononge or tact ion). The cyphers of all these four count i'ics 
are vulnerable, and it must be possible for the Russians from thoir tele- 
grams to arrive at a clear appreciation of NATO plans and policies in 
Europe, and of the relationships of tlx : allies to each other. 



3. 

withgreater reticence. 



cypher!, arc also vulnerable but are used 
iftc worst example of a compromise is probably a 



M. 
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4. The work being d one on armed forces cyphers of NATO countries 

by the | lis res tricted almost entirely td 

machine systems in | Both rare vulnerable. Knowieage oi cnc 

content of/ the messages would be of the very greatest value tactically to 
the Viet Minh forces and they would also yield considerable longer-term 
intelligence. The two systems are used for, among other things, daily 
situation reports, announce.. ent o J I plans, statements on allied co- 
operation with thel ? I activities. 



DEVELOPMENTS IN WAR 



5. The above paragraphs are concerned with what is being given 

away /by insecure cyphers of allied powers in present conditions. The 
valujB of similar information to an enemy in wartime would of course be much 
greater. The continued use by the >f insecure cyphers 

in qio tive oper ations would, fore ..ample, oc a very great danger not only 
to tht j ( themselves but to tmoir allies. Similar considerations apply 

to all other| / [in use by allies. \ That 

in. wartime the cypher security of- one ally must be t'he concern of all 



emerged quite clearly in the < ' 

of intelligence on the 

cyphers of all types. 



war, where we derived- a great de al , 





REF ID : A517801 

TQ? SECRET CY NOE 



EO 3.3(h)(2) 

PL 86-36/50 USC 3605 



DGC/3441 
Appendix 'A 1 
Annexure 1 



\ I are generally exploitable; they 

consist of b adly-used l 
I I There is little reference to NATO matters: the following 

examples are typical of information which does not represent a vital 
leakage^ hut which must be useful to the Russians 



2 . 



(a) 



Matters Concerning the 



"Cockroft in to meet you in Brussels in order to discuss the 
exchange of C 



technicians gave me oral assurance of the fine functioning 

of I 



(u) Details of arms shipments from America:- 




(o) Off-shore purchases :~ 




The situation would be still more unfavourable in time of 



war, since Buch rep orts on firms deliveries in the present £ 



j, movements. 



would give away details of Atlantic shipping 



] 
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Defence questions. The following | 
be of value to Russia, 



Itele^rqjas vk uld 
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In addition tb uro is a considerable quantity of telegrams on the' 
European Defence Community negotiations and on the Middle East Defence 
Organisation, The intelligence contained in them is not of vital 
significance to Russia, but it certainly provides useful background 
information. Some examples are:- 
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6. Far East. The follo'./in g telegrams would be of value 

to the Russians and their I I allies;- 
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(b) 14 has to be recognised that the 



] are less 



scrupulous when reporting comments by representatives 
of other countries, even though allied. ' See for 



(c) 



comment (para 4(i) above) in FTDHP 



(para 4(c) 
(para 6(d) 
(para 6(e) 
(para 4(h) 
(para 3(b) 



) 



) 



are particularly cautious and 

limit themselves tto comments on th\ press and on subjects of 



common knowledge. \Care is evidently taken to include 
nothing of value. 




It must be remembered that the amount of 

that has been read during the period und er I'eviev; ^ias no t 

"been very great. It is a matter ^f speculation whether 

those "which ^ have not been able t<?, 

exploit have in l'aot provided other instances of insecurity, 

and whether the Russians may have beeh able to exuloit\ 

then. 



. . Conclusion. 



From the above analysis, of published| I texts it 

that the amount of vita l information given away by th<l 

fncimri’ne 4 a j'j . n ^ 



lerges 

1 '-he Russ ians is "shall, but that~rT considerable quantity of usef ul 



^okgrouJid information is passed insecurely. 
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NON DIPLOMATIC SYSTEMS 



1. As used by th< | I can provide the 

V'i c;m.y vrilth a very complete picture of the military situation, both 
tactical and strategic. The following are but a feuf typical examples | 
/of the kind of intelligence involved, the majority dated September 195'- 
yto March 1953 : - 

(a) A daily sitren giver-, a .detailed picture both of the effect 
nf l I view of 

enemy dispositions, strength etc. 

"According to documents contained in the brief case 
belonging to the i i 



o>)[ 



and knowledge of energy plans, often sent in 




(o) 



ample time for the enemy to act upon the information. 

"... to bring up to strength the radio teams of Tonkin 
which could be paradropped, and to place two of them in 
Cochin China. These elements will have to be ready for 
lisp. In nnernti nns beginning nn 1 November 1952. " 



Information concerning French Allies. 
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(d) Strategic supplies. 




(e) Tactical planning. 




2. In addition, there is much evidence of the results of 

Sigint which must be of value t o the enemy and also detrimental to any 
Allied co-opera.tion with | in the Sigint field. For example 




3 . 

in 

n 



|appear to be used fairly indiscriminately 

J and in some cases reports in the same series are passed 

“T — l . — _ J ~ 4 T ; ,-m J - n ; 



:\ One, same links using either machine. The type of informr.ticp given 
awa y by th e two systems is thus very similar. In the sample examined 
Jappears to pass fewer messages of a higher level nature than 

n decrypts 



C I".(J 



The follo'.ving are some typical extracts from 
(a) L crypt analytic Status Report;- 
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(b) Tactical sitreps;- 



" Friendly losses were 3 killed and 6 wounded". 




(d) Report on strategic information not to be released to the\ 
press 




(e) Knowledge of enemy order of battle 




(f ) Training programme 




C. Miscellaneous 




The following types of traffic have been seen:- 
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7. The only other traffic seen here, which appears to be an 

intelligence producer, is the joint attache systen j passing economic 

type information, for example:- I 
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(c) Production. 



(d) Stockpiling 



( e ) Communion t ions 
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(f ) 'U,S. - Spanish negotiations 
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\ (a) Details of 1 submarine radars. 



(b) NATO exercise 



(c) Intelligence 
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EXAMPIDS OP COMPROMISE OP CO-BELLIGERENTS BY 



CYPHER COMMUNICATIONS IN WORLD WAR II 



Italians ocmprcmise Germans 

1 . In the Italian "Legations in the Balkan capitals .... 
their Military Attaches talked so freely to Rane fcf German, military 
movements that the Germans eventually held igp their tolegrams" . 

(G.C. A C.S. Diplwjiatio and Canmercial Sigint, Vol. I, p.20) 

2. As regards Special Intelligence concerning the German 
Army in the Mediterranean area in 1941 , "the Italian partner was 
doing much to fill the gap until the end of 1941 , when he introduced 
notable improvements in oypher security" , 

\GLC. & C.S. iUmy and ,iir Force Sigint, Vol. I, p. 226) 

3« Italian "main-lino cypherr ... yielded all through 1941 

a flow of information which threw light not only on Italian 
dispositions and intentions but dri those of the Germans as well ... 

An example was a signal in 1 Tellera’ [cypher] giving the full 
tank strength returns of the two German armoured divisions in 
the Western desert, at a time when no information of the sort was 
available frcm any other source". 

(G.C. 4 C.S. Army and ^ir Force Sigint, Vol. IX, p. 115) 

4. ” * Z3 ' * the cypher used by the Centauro Battle Group in 
Tunisia, for instance, gave on three occasions the complete 
Gorraan-Italian order od battle for a whole sector". (ibid., p. 11 6) 

5. "Falco" , an Italian Air Force "supplementary high-grade 
systora ... besides giving a good picture of Italian-German Air 
Force liaison in the jicgem, carried a good deal of traffic of 
operational importance and provided advance notice of intended 
German reoonnaissances in Asia Minor, Cyprus and Egypt". 

(Ibid., pp. 231-232) 

Reciprocal Compromise of Germans and Italians 

6. Throughout the Western Desert dnd llorth African campaigns, 

Rommel was deprived of suppxies and the Italians lost most of their 
merchant -fleet largely as a result of Allied reading of German army, 
air force and (from August 1942) Mediterranean Enigma traffic and of 
Italian Hagelin (frcm July 1941/ and low-grade traffic. So full 
and detailed was the information concerning shipping, routes ond\ 
cargoes that the allies were abl® to concentrate their attack 
proportionately to the Axis need of individual commodities. N 

(For statistics and details see G.C. A C.S. Naval Sigint, 
Vol. IV, pp. i 58-1 63 . S also G.C. & C.S. Naval* 

History, Vol. XX and G.C. A C.S. Air and Military r 
History, Vol. IV.) y 
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C. Japanese compromise Germans 

7. Japanese Naval Attache Cypher 

Admiral Abe, the extremely efficient Head jof the Japanese 
Mission to Berlin, signalled hone all the information - and, 
considering German caution vis-a-vis their ally, it was an 
astonishing amount - that he managed to extract from German 
authorities in a machine cypher, known to the Allies as JNA 20. 

(G.C. & C.S. Naval Sigint, Vol. II, p. 164) 

"'We are all most impressed', wrote Dr. It. V. Jones, 

A.D.I. (Science), Air Ministry, 'by the technical statements, which 
contain a wealth and accuracy of (detail regarding German iJadar 
surpassing any other Intelligence source during this war. More- 
over, they give us a very good insight into German policy of a 
much more direct nature than we ijiave hitherto attained by other 
methods'. The Admiral went on to contribute first-class, and 
often detailed, information on innumerable subjects of air an 
military interest, as well as na-|al, including the German anti- 
invasion preparations and intentions in Northern Prance", 

(G.C. & C.S. Naval Sig mt, Vol. IV, p. 206. A list 
follows of ten naval scientific inventions (weapons 
and processes), a description of which was first re- 



ceived from this source 



8. Japanese Military Attache Cypher 



,5 



I 

"In February 1944, the Japanese Military Attache in Viohy 
sent a report to Tokyo, based upon statements by General von 
Aunstedt's Chief of Staff, outlining German defensive strategy 
against the invasion", ! 

(G.C. A C.S. Naval History, Vol. XIX, p. 147. Details follow) 

9. For information on the development of German 'Jett aircraft 

from both naval and military attaohe cyphers, see G.C. & C.S. Air 
and Military History Vol XI pp. 19 37, 54-56. 



D. Free French compromise the Allies 

10. "A capturod enemy oryptanalyst who had worked at 'N.a.A. St. 4 

from 1941 until 1945 gave an account of the [Fighting French ] systems 
which had been in use in Syria and West Africa during the period . . . 

He said that in Syria two systems had been employed ... Bbth tyad been 
read in their entirety, and had given a full picture of the strength 
and organisation of the do Gaullist foroes and political administration 
in the country, as well as useful details of British troop, movements - 
the latter especially valuable since the British cyphers could not 
normally be read. The West African ciphers .... were more difficult 
than the Syrian systems, but were usually soluble at least, in part". 

(G.C. & C.S. Army and j»ir Force Sigint, Vol. XI,,, p. 32) 
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11. "After the North African landings serious attempts wore 

made to persuade the Fighting French to adopt systems of British 
or American devising for high level communications, j Those attempts 
perhaps naturally, were not specially successful at /first. Thn 
proffered systems were accepted, and employed to som p extent, 
but the use of private cyphers - often very insccurb ones - 
continued, particularly for messages which it was desired the 
Allies should not see, and which, of course, were for that 
very reason of most value to the enemy. By 1 944. however, 
an all-round improvement ... had taken place", (ibid., p. 33) 
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1. 



has recently had an opportunity to examine a copy of 



"Precis de Crypt ographie Modeme" by Charles Eyrau&A (Paris Editions 
Raoul Tari, 10 Rue de Buci, Paris VI e 1953). This work is not foi^ 
sale to the general public, but at the same tiite it carries no mark of\ 
security grading. The preface acknowledges help received by the author 1 - 
from Col. Black; the latter however has stated that he has had the book 
carefully "purged" of anything that might be pre judical to the work of 
his department. 



rs 







2. It follows that the opinions expressed in this book do not 

necessarily represent the level of technical knowledge of the best French 
experts, e.g. it would be wrong to judge French knowledge of drum machines 
from the following curious passage relating to the German Enigma (which 
is badly and innacurately described); 




"ThU3 one sees that the supplementary, plugboard is a very important 
•rp security factor. But even without it we cannot see how the drum 
wi ring c ould be recovered. One may therefore state that this 
machine ~T 3~ffrict i ca l 1 y indecyphofable. " ' 

3. When, however, perfectly sound statements are made about the 

basic principles of cryptography one nay assume that these are regarded 
as commonplaces. 



4. The following extracts give examples of such statements, many of 

which are highly relevant to present French practices. It is noteworthy 
that many of these contain quotations from older works. 

(On Cypher Machines in general) 

\ j 

(i) "There is no doubt that length (of key stream) on the one 
hand, and a large number of alphabets on the other, (and 
finally the complexity of cyclic mechanisms, (including 
factors of irregularity which make reconstruction more 
difficult) are principal elements for appreciation of the 
cryptographic value of a machine. But they are not the 
only ones; one would be very wrong to believe that they 
constitute a formal and absolute indication. 

.jiy machine has to be used properly. It must also be adapted 
to its use. "Some excellent razors are most dangerous in 
the hands of a monkey" (says Givierge) "and some delicate 
revolution counters would work badly on the wheel of a 
turf -barrow, " 



\ 
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"Thu choice of agreed keys" according to General £$acco 
"mtuvb not ha loft to the initiative of cypher operator b but 
mu at, bo made in a central off ioi ", Often in fact, if a 
change of the outer key does. not affoct tho sot up of the 
machines c»r the key series but only tha starting point on the 
latter one may have; ro-uno of a "portion of the key series 
already none), for another message and in consequence long 
repents vhlch reveal the coincidence and help the cryptanalysis," 

Part II Pnra 115 

(ii) In assessing a machine, account should bo taken of the fact 
that its permanent characteristics cannot remain secret, and 
also of all possible accidents. 

IBID 

( On the T-bP Machine; ) 




"We have seen that for on-line teletype cyphers 120 single 
keys obtained by permutation of the five impulses are less 
efficacious than 3 ? keys obtained by change of polbrity. This 
in enough to .".ho that tile crude tiumbor of single keys used 
in only a first indication." 

IBID 



(i'v) Givi urge has spoken of "malpractices that theory fcnnnot 

predict though their existence is attested by experience" 
and more recently Sacco hns added that "cypher operators 
do enough to help Idle enemy." 

IBID Part £11 Para 36 



( On additive systems ) 



(v) "T'o cryptograms with the same re cypher key can in theory bo 
decrypted" in practice it i« tiooessary to have at 

least a third text". , , ' 

iBlD Port III Pnra 30 

( On plain codes ) 



(vi) "in nn^r case, as General r.acco nays, secret codes are only 
secure 'on condition that they arc not and never have been 
used without 1 'fioyphermunt , tho latter being very frequently 
changed. " 

TblD Part III Para 30 
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SECURITY OF TI 



INTRODUOTIC 




The U.IC. views are summarised in the following paragraphs 




Evidenoe available from U, S«-U.K, | j ia auffioient, 

in the U K. viaw, to show that the following require remedial action. 




The U.K, view is that the problem is one for disousslon among 
oommunioation security offioers, and that it is essential for U,;K, and U.S 
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Security, September, 1951 . 
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8. The U.K. view ia s "shock tactics" of this kind are unlikely 
to be effective especially when they are accompanied by a "cover story" 
which is unlikely to be believed; the only way to achieve improvement 
in security habits is by educative action and by influence of the 
"public opinion" (if such a term indy properly be used of a very 
secret subject) of other powers' Ccmsec officers. 

9. But the dictum of the U.S.C.I.B. ad hoc Committee referred 

to in para 7 above has in the U.K. view another serious weakness in that 
it is based on the assumption that it is possible in matters of cypher 
security to "have it both ways". This assumption has appeared at 
various times in discussion in wo different forms: 

(i) that it is possible to devise cyphers that are just good 
enough to defeat the Russians but contain weaknesses 
that can be exploited by U.K./U.S.; we cannot know 
anything of the l~vel of competence of U.S.S.R. 
cryptanalysts. 

(ii) that it is sufficient to limit improvement of security 

to specified cryptochannels or to telegrams on specified 
subjects. This will not do; it is not possible to* 
forecast in advance which cryptochannels are going to carry 
important messages and it is not enough to insist on use 

of NATO cyphers when documents ore; 1 , 1 ™ mr> nn "" Tn — | 

) 3605 without also taking steps to protect the security of NaTO 

fringe traffic or national comment on NATO discussions 
which may legitimately be sent in national cyphers. 



(d) Armed Faroe Cyphers of the other NATO Powers 

10. Little is known, from Sigin t souraes, of the armed farces cyphers 

of any European pewer except and if as seems probable they are no 

better than the diplomatic oypners tney would be, in varying degrees, 
dangerous to the security of any forces operating with them in war. 

(e) Cypher machine development in Europe 

11. It is known that new cypher machines are being developed by 
several NATO governments and by commercial firms operating in neutral 
countries. 

(i) The have designed cypher machinos which they 

intend to use for their armed forces; these machines 
embody sme fiarly advanced techniques but from information 
at present available appear to be most insocure.(l) 

(l) See memorandum from Italian Military Mission In Washington 

to Secretariat of the Standing Group, No. 09 2 7/SRP , 
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machines which will undoubtedly be much better than the 
, same firm's pre-war models, but may still be not secure 
against modem crypt analyt ic methods. 

12, This list is probably not exhaustive , and these developments 

merit close attention from U.K. and U. S. While it is entirley possible 
that European powers may work out their own salvation, with or without 
the aid of commercial firms it is to be feared that they may only arrive 



of current U. K. /U. S. thought on cypher machine design. It v/ould be 
therefore better to appro ch these European powers before their own 
development has gone too far, and persuade then to adopt well tried 

U.K./U.S. methods. 

(f) Decisions to be taken at the Conference 
(A) Countries to be covered 



(B) Timing of action with relation to physical security 

The 1951 Conference agreed a limited programme for an approach 



expressed themselves/ satisfied that such improvement has gone far enough. 



15 While it is agreed that we ought to adjust our methods to 

takv. account of differing physical security conditions in various 
countries it may be said 

(j) that physical leakages will seldom if ever be so gross 

as to provide a source of intelligence as rapid, complete, 
reliable and (above .all) authentic as that derived from 
/ a major breakdown in communication security; conditions 

need to be literally hopeless before one can say that there 
is no point in improving cypher security; 
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(ii) One should however not delay~Ihitiating action on cypher 
security pending expected improvements in physical 
security, because neither can be put right overnight* 

16. The U.K. recommendation is the refore t hat there is no case 

for any further delay in approaching tho | | and that physical 

security of other nations might be considered as a valid reason for 
taking no aotion at all, or for taking modified action but not for delaying 
action. 



THE APPROACH TO THC | | 

17. Having settled the scope of action intened the Conference should 

in the U.K. view consider an approach to the Government with a view to 

first improving their communications security and then inviting thorn to 
associate themselves with any scheme. that may have been agreed between 
U.K. and U.S. for approaches to other NATO nations. • 



18. It is recommended that a single approach be 

covering all cyphers of all services in respect of whi 
has decided that action must be taken. 



made to the | 
ch the conference 



exposure of 



19. Previous projects for approach to the Government' on 

the delicate subject of the security of their national cyphers have been 
based on the assumption that this insecurity is due to ignorance 
of the art of cryptography which cannot be removed without exposure of 
’’sophisticated" cryptanalytic techniques. Yet after all the basic principles 
of cryptogra phy are f ew, simple and well known to all cypher experts 
including th j and do not constitute the "secret" upon which 

the success of cryptanalysis depends. The "secrets" of cryptanalysis are 
rather these: 

(i) that situations arise in the use of cyphers which would 

instantly be condemned as insecure by any one instructed in 
cryptography; 

(ii) that other situations ariso which an instructed ijerson 
would admit to offer at least a theoretical risk of 
insecurity, but which require "sophisticated techniques" 
to exploit them, and that these techniques have been 
devised. 



20. The only way in which improvement in 

eventually obtained is by cooperation on the tccmuca. 

I communication security officers. 



can be \ 

>et ween | [ 



21 . The object of the first approach therefore woul'fbtr to bring 

about a frank exchange of information that would serve as a basis for 
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subsequent discussion among responsible communication security officers. 
One of the points that the Conference must decide is whether this initial 
exchange should be made: o o/hwo 



(i) at a tripartite meeting; 

(ii) at sex^arate bipartite meetings, 

(iii) at a single bipartite meeting where either U.K. or U.S. 
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22. The tripartite arrangement would be the best, apart from the 

fact that it would be impossible to conceal the fact that U.K. and 




undoubtedly be assumed. It is therefore recoi.mended that the meeting 
be tripartite. 

23. The exchange can be initiated in two ways only: 

* 

(i) by inviting each party to describe its own communication 
security methods, which would then be discussed on general 
cryptographic grounds by the other two. 




24. The second approach is recommended, as being more sure of its 

effect. 

(i) Initially at least it may be somewhat embarrassing but it 
will have less long term disadvantages in that it does 
not commit anybody t^ disclosure of details of their own 
systems which they consider irrelevant or do not wish to 
ment ion. 

(ii) Although thi3 approaoh implies a tacit admission of 



' 'This is something more than a polite fiction. We already know that 
the l | i have been monitoring our manoeuvre traffic and have found that 

they can exploit traffic security weaknesses, such as use of P/L. 
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crypt analytic success it does not involve any disclosure 
of methods. The line taken is "we see that you do this 
or that and we consider it on principle to be wrong" not 
"look how we can break your cyphers". 

25. iifter the three parties have made one another aware of the 

elements of the problem they should constitute a tripartite advisory 
? ■■ committee of communication security experts with terms of reference: 

(i) to examine any weaknesses in national communication 

security systems of the three powers that may oome to the 
knowledge of any one of them and may be regarded as 
affecting the interest of all; 

(ii) to 'make recommendations for remedies; 



(iii) to consider joint action in the common interest with regard 
to the security of other friendly powers. 
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no security value whatever. 

29. When it come s to the higher grade systems it is however necessary 

to consider whether the could he convinced of the insecurity of 

their systems without exposure of soitu. more or less "sophisticated” tech- 
niques: 



IffliiSURES TO IMPROVE 



CYPHERS 



improvement; U.K. and U. S. should not decide at the Conference what they 
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propose to offer in the way of assistance and he a greed on priorities 



but should endeavour in subsequent discussion with the | | 
their aid (which will certainly not amount to an ir.ime diate so. 
the whole problem) wherever it best fits with French needs. 

31. It is doubtful whether tip C. C.M. machine propose d 
of the 1951 conference should be offered now to the L 



to apply 
ution of 



in the report 




(ii) The 1951 proposals envisaged issue ,f 20 COM immediately 
and a total of 80 eventually; it is probable that U.IC./U. 8. 
would find it difficult to moot this programme today. 

(iii) However if the| [vrould like a certain 

number of CGM, then these can be supplied within limits 
set by availability, 

! / ■ ■ ■ 

32. One-time pad, proposed in 1951, is an excellent solution, 

wherever practicable. 

(i) The 1951 conference agreed that technical instruction 

in manufacture of random tables could be given to the 
without disclosing cryptographic informat ion( ii) and 
that this was an important and major requirement. It is 
still more important now that thd land others are 

showing signs of producing now ana perhaps inferior methods 
of one time key generation. Rather than discuss these we 
would prefer to persuade the | that our own methods 

are well tried and sound, without however appearing to 
\ "instruct" them as if they were complete beginners in the 

are of making random key, 

\ (ii) The allocation of one time pads is probably best organised 
by the| | themselves. We should not, as was proposed 

v by the U.K, in 1951# produce a ready made scheme of 

individual and multiple-address t .-ads, which in our opinion 

(■^The latest modification, , is a considerable improvement on 

the original machine, but even so CCm must be regarded a s overdue for 
replacement, 

(l I ) Enclosure A para 33 1951 report. 
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N would save them time and trouble. However suggestions from 

all parties could be considered in Committee, 

(iii) The^'physical security provided by methods of 

packaging OTP 4 s likely to be of interest and it is 
recommen ded that it be described. (it is also possible • 
that the may wish to take into account the 

difficulties or physical security when considering any 
' plan for multi-address pad systems). 

(iv) There are undoubtedly ways of making the M209 much more 
nearly secure. These might well be considered subject 
to U. S. being, able to provide a substan tial number of M209 
equipments and subject to the f inding them workable. 

(v) T he I is now regarded 

by 5.5 ve r y aacufe pf6Vl<Ud th5t t he basic lug 

settings are chosen from liraitod lists which can be readily 
calculr. tod on a large computing machines - if u. 3, 
are able to make this machine avail able at an early date it 
would be very suitable f:r offer to | | (or to other 

NdTO powers') provided that a clear explanation were given 
of the reasons for using the limited list of basic lug 
settings. These re. sons could be convincingly derived from 
first principles (need to ensure as e ven as possible a 
distribution of key values). Once again any attempt -to 
dictate would be fatal, leading to suspicion of motives or 
wilful refusal to use the "good” list. 

33. It is hoped that enough has been said to dispose of the idea 

taat the procedure advocated would lead to exposure of "sophisticated 
crypt analyt ic tech niques". (Appendix 0 to this paper contains examples 
taken from a recen t I work on cryptanalysis with quotations from 

older works showing basic principles which are obviously commonplaces 
to any modern technician and which should suffice for a criticism of most 
if not all insecure European systems in use today). 



EXTENSION TO OTHER POWERS PL 86-36/50 US 

34. It is proposed that other NiiTO powers, whose cyphers are held 

to be xn need of improvement should in turn be invited to send represent- 
atives to the Tripartite Committee. ; 

35. Would undoubtedly, all have 

cypher experts capable of understanding and accepting the arguments used 
in assessing a cryptosystem. There is little fault to be found with their 

| and we have no knowledge of their |~ | 

and could only obtain it by prolonged ^igint study (likely to be most 
wasteful of effort) or by simply asking the... fur details. Th e .y should 



NSA Fen. 781-CuS 1 Jul 5S 






! & ftv 



REF ID :A517801 




t- 



O ANOE 



I - 



* •' 






DGG/3441 



EO 3.3(h)(2) 

PL 86-36/50 USC 3605 

probably be left alone altogether or else regarded, as potential givers 



.Mv-T 


of help. 


Jtw 


(i) 


j&t-i • 
«- . 


(ii) 



has a one-time tape generator, believed secure. 




37. 

known that the C 



[ 



be possible eventually for the£ 



too appears >fco be b ackward in crypt matters. It is 
] are help ing the I I on Comint and it might 

3 to approach them on Comsec, on 



which they are in very urgent neec( of advice. 



38. 



It is difficult t o guage the level of crypt knowledge in 

| | ; they may all well have quite good 

orypt analysts. Here again the only approach that cap be tried with 
any hope of success is the educative one. If there is not already in 
these countries a crypt expert capable of appreciating the argument 
from first principles then they must bpgin by sending a man for a 
training course which should be based ijja the published literature. 



CONCLUSION 

39. Strange though it may seem, the security of a government’s 

cyphers is a most unreliable index of the skill pf that government’s 
cryptanalysts. If a nation uses bad cyphers the'reason may be that they 
know no better, but it is much more likely to be that their policy 
makers fail to make use of the advice of their own technicians (which 
in some cases may be enough to ta^o th*-in most, if nbt all, of the way 
to real security ) or else that they simply lack resources-material, 
industrial or financial- to carry out what they know to be necessary. 

If | |come forward now, insisting on a critical examination 

of the situation (based on a realistic ackno.a.edgement of certain facts 
about cryptography that are already pretty well known) and offering help 
from their own experience and material resources, they can guide their 
allies into use of cryptosystems that will stand up against the most 
advanced techniques known to N.S..L. and G.C.Ii.a. , and in doing so need 
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not disclose these techniques. If however they continue to turn 
a blind eye to the progress in cryptanalysis made all over Europe 
since 1939, and to refuse to talk about subjects that are in fact far 
less secret than they v/ould like them to be, then they must expect 
to see European powers turn elsewhere for advice and assistance, and 
so to lose the opportunity to influence development in the right direction. 
Subsequently they may find that a situation has developed 1 which they 
arc unable to correct without making really damaging disclosures of 
advanced cryptanalysis in discussion, not only with officers of Allied 
Governments but also with commercial firms in neutral countries vrtio 
manufacture equipment for sale to all comers. This danger is real, 
and if U.K. and U.S. wish to avoid such a situation they have no time 
to lose. 

40. Finally, U.K. and U.S. must not expect the advice to be all 

one way, at least if the discussions are extended to Armed Forces communica- 
tions. They may well find that although their own cyphers are for the 
most part sound, yet nevertheless they are giving away in peacetime 
secret information, not obtainable by any other means, through excessive 
use of plaih language and over simplification of signal procedure. 

Foreign Comint organisations who have intercepted U.K. , U.S. traffic 
may be able to help materially in assessing the extent of leakage 
arising in this way. 
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CONTENT OF i/RjvIED FORCES COlMiNICATIONS 



4. The work being done on armed forces cyphers of N.sTO countries 

by the U.It. /and the U. S, is restricted almost entire ly to ] 

J. Knowledge of the 



] 



content oiy the messages would be of the very greatest value tactically to 
the Viet Minh forces and they would also yield considerable longer-term 
intelligence. The two systems are used for, among other things, daily 



III 



DEVELQRffiNTS IN WAR 

5, The above paragraphs are concerned with what is being given 

away /by insecure cyphers of allied powers in present conditions. The 
value of similar information to an enemy in wartime would of course be much 
greater. The continued use by the | ] of insecure cyphers 

in active operations would, for example, be a very great danger not only 
to the French themselves but to tneir allies. Similar considerations apply 
to fill other armed forces and diplomatic cyphers in use by allies. That 
in. wartime the cypher security of cne ally must bo the concern of all 
emerged quite clearly in the 4 939-45 war, where we derived- a great de al # - 
of intelligence on th^ *] 

cyphers of all types. 
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\(a) Matters concerning the Atomic Energy Commission •- 




(b) Details of arms shipments from America; ~ 




Off-shore purchases 




2. The situation would be still more unfavourable in time of 

war, since such rep orts on arms deliveries in the present! ~| 

I would give away details of I 
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In addition thoro is a considerable qua ntity of t elegrams on the • 

| and on the I 

Organisation, The intelligence contained in them is not of vital 
significance to Russia, but it certainly provides useful background 
information. Some examples are:- 
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9 • Conclusion . 



From the above analysis, of published texts it 

emerges that the amount of vital information given Aw'iy by the 
v.o the Russians is snail, but that a considerable quantity of usefu] 
background information is passed insecurely. 
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Strategic supplies. 




(e) Tactical planning. 



2 . 



i . i 




In addition, there is much evidence of the results of 

] which must be of value to the enemy and also detrimental to any 

lied Co-operation with'! I For example 



B. 

3. 

in 

on 

av.’a; 



th{ 




The 



appear to be used fairly indiscriminately 
Indo-Chinaj ana m some cases rejorts in the same series are passed 
the same links using either machine. The type of information given 
y by th e two systems is thus very similar 1 . In the sample examined 
] appears to pass fewer messages of a higher level nature than 



the 



4 . 



The following are some typical extracts from 



(a) A cryptanalyt ic Status Report 
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(b) Tactical sitreps;- 



(d) Report on strategic information not to be released to th£\ 
press;- ! 



(e) Knowledge of enemy order of battle 



(f) Training programme 



C. Miscellaneous 
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7 



The only other traffic seen here, which appears to he an 
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T he main | \ \ \ | which as 

used by the | | is quite insecure and could be read by any organisation 

possessing rapid analytical machinery. Other systems, usually code with 
additive, are occasionally read, but do not normall y concern major 
political subjects. There is also a | ~~| believed to be 

ft I which is not at 



present readable. 

2. The \ and more particularly J he 

links pass a considerable number of reports on NATO matters, and the 
I I has made a practice of reporting on 

~~f |although in less detail than the i | 

~| There is some evidence that they are aware of their cypher 
responsibilities in this matter. For example, I I 

gives a general report on an American statement made at a meeting of 
the Atlantic Council, and concludes by saying that the text of the statement 
would be sent in Typex. 

3. Nevertheless, readinfe of this traffic must give the Russians a 
fairly comprehensive picture of general NATO planning and e -uipment. - 
For example:- 

/ I 

a) ! Reports on NATO meetings 




(b) German attitude to EDO 




(c) Equipment policy 
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(b) Airfield oonatruotion. 




I (d) Infrastructure. 




(e) German participation. 
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_ introduced. in October . 

matters can be fully solved on messages of more than 500 groups, and a 
high proportion of messages are of considerable length. The military 

— — t - 1 — — I badly used and quite easily readable, 

sometime s va t TO ' U t tn ~ g ms 01 ratCT i analytical machinery. Nothing is 
known <->f l I but it must be assumed that they are 

quite insecure and may be giving away considerable detailed information 
of tactical and strategic value. 

2. yields a wealth of information on 

NATO planning, strategy, equipment, etc, , which must be of very high 
value to the Russians. The following examples are typical of the 
intelligence provided 



(a) The] 



contribution in case of war. 
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EX.'j'IPLES TAKEff FROM THE LITER 'JURE OF CRYPT.LHALYS IS 
.'HD CKYFTOC-R.JHI SECEDING BASIC PRINCIPLES WHICH -RE 
OBVIOUSLY CCKM0NH»X3B TO ANY MODERN TECHNICL’J* 



I. | I has recently had an opportunity to examine a copy of 

"Precis de Cryptographie Modeme" by Charles Eyraud/' (Paris Editions 
Raoul Tari, 10 Rue de Buci, Paris VI e 1953). This work is not for 
sale to the general public, but at the same tilde it carries no mark of. 
security grading. The preface acknowledges help received by the author 
from Col. Black; the latter however has stated that he has had the book 
carefully "purged" of anything that might be pre judical to the work of 
his department. 



2. It follows that the opinions expressed in this book do not 

necessarily represent the level of technical knowledge of the best French 
experts, e.g. it would be wrong to judge French knowledge of drum machines 
from the following curious passage relating to the German Enigma (which 
is badly and innacurately described); 

"Thus one sees that the supplementary plugboard is a very important 
security factor. But even without it we cannot see how the drum 
wiring could be recovered. One may therefore state that this 
machine is practically indecypherable. " 



3. Tfitoen, hovrever, perfectly sound statements* are made about the 

basic principles of cryptography one nay assume that these are regarded 
as commonplaces. 

A. Tile following extracts give examples *of such statements, many of 

which are highly relevant to present French practices. It is noteworthy 
that many of these contain quotations from older -forks. 

(On Cypher Machines in general) 

(i) "There is no doubt that length (of key stream) on the one 
hand, and a large number of alphabets on the other, and 
finally the complexity of cyclic mechanisms, (including 
factors of irregularity which make reconstruction more 
difficult) are principal .elements for appreciation of the 
cryptographic value of a machine. But they are not the 
only ones; one would be very wrong to believe that they 
constitute a formal and absolute indication. 



Ixiy machine has to be used properly. It must also be adapted 
to its use. "Some excellent razors are most dangerous in 
the hands of a monkey" (says Givierge) "and s ome~delicat e 
revolution counters would work badly on the wheel of a 
turf -barrow. " 
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**'fho choice of agreed keys" according to General Sacco 
M mmvt not ha loft to the initiative of cypher operators but 
munt bo made in r» oont.m.1 officii". Often in fact, if a 
change of the outer deny doom not affect tho net up of the 
machine or the key our lan but only tho starting point on the 
latter one may have re-use of a "portion of the kdy series 
already used for another message and in consequence long 1( 

repents «hlch reveal the coincidence and help the cryptanalysis. 

Part II Pnra 115 

(ii) In assessing a. machine, account should bo taken of the fact 
that its permanent characteristics cannot remain secret, and 
n 3 no of all possible accidents. 

IBID 



( On the T-b? Machine ) 




"We have neeri that for art- Lino teletype cyphers 120 single 
keys obtained by permutation of the five impulses are less 
efficacious than J> keys obtained by change of polarity. This 
in enough to sho that the crude utimbor of single keys used 
is only a first indication." 

IBID 



(i'v) Givi urge lias spoken of "malpractices that theory cannot 

predict though their existence is attested by experience" 
and more recently Snco.n lias added that "cypher operators 
do enough to help tin,* enemy. " 

IBID Part jEII Para 36 




(v) "T”o cryptograms with the same recypher key can in theory bo 
decrypted" in practice it is necessary to have at 

least a third text". pfelp part’ III Pnra 30 




(vi) "in nny case, as General ttnooo says, secret oodod are only 
Secure -on condition that they are not and never have been 
used without reoyphornwnt, the latter being very frequently 
changed. " 

Tum Bart III Para .50 
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